Avalanche
by Ivanti
CVEs (113)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-42124 | Hig | 0.57 | 8.8 | 0.03 | Dec 7, 2021 | An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover. | ||
| CVE-2024-38653 | Hig | 0.56 | 7.5 | 0.92 | Aug 14, 2024 | XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server. | ||
| CVE-2021-30497 | Hig | 0.56 | 7.5 | 0.97 | Apr 6, 2022 | Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can… | ||
| CVE-2023-46262 | Hig | 0.55 | 7.5 | 0.83 | Dec 19, 2023 | An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server. | ||
| CVE-2022-36982 | Hig | 0.55 | 7.5 | 0.74 | Mar 29, 2023 | This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within… | ||
| CVE-2022-44574 | Hig | 0.54 | 7.5 | 0.65 | Mar 10, 2023 | An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthenticated attacker to modify properties on specific port. | ||
| CVE-2024-47011 | Hig | 0.53 | 7.5 | 0.57 | Oct 8, 2024 | Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information | ||
| CVE-2024-27977 | Hig | 0.53 | 8.1 | 0.02 | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service. | ||
| CVE-2023-28127 | Hig | 0.53 | 7.5 | 0.59 | May 9, 2023 | A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information disclosure. | ||
| CVE-2021-42133 | Hig | 0.53 | 8.1 | 0.03 | Dec 7, 2021 | An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write. | ||
| CVE-2024-13179 | Hig | 0.52 | 7.3 | 0.62 | Jan 14, 2025 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. | ||
| CVE-2024-47008 | Hig | 0.52 | 7.5 | 0.47 | Oct 8, 2024 | Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information. | ||
| CVE-2024-29848 | Hig | 0.52 | 7.2 | 0.64 | May 31, 2024 | An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM. | ||
| CVE-2024-13180 | Hig | 0.51 | 7.5 | 0.28 | Jan 14, 2025 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011. | ||
| CVE-2024-50320 | Hig | 0.51 | 7.5 | 0.31 | Nov 12, 2024 | An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. | ||
| CVE-2024-37399 | Hig | 0.51 | 7.5 | 0.28 | Aug 14, 2024 | A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS. | ||
| CVE-2023-41726 | Hig | 0.51 | 7.8 | 0.01 | Nov 3, 2023 | Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability | ||
| CVE-2023-41725 | Hig | 0.51 | 7.8 | 0.01 | Nov 3, 2023 | Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability | ||
| CVE-2022-43555 | Hig | 0.51 | 7.8 | 0.00 | Nov 3, 2023 | Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability | ||
| CVE-2022-43554 | Hig | 0.51 | 7.8 | 0.00 | Nov 3, 2023 | Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability |
- risk 0.57cvss 8.8epss 0.03
An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.
- risk 0.56cvss 7.5epss 0.92
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
- risk 0.56cvss 7.5epss 0.97
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can…
- risk 0.55cvss 7.5epss 0.83
An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.
- risk 0.55cvss 7.5epss 0.74
This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within…
- risk 0.54cvss 7.5epss 0.65
An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthenticated attacker to modify properties on specific port.
- risk 0.53cvss 7.5epss 0.57
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information
- risk 0.53cvss 8.1epss 0.02
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service.
- risk 0.53cvss 7.5epss 0.59
A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information disclosure.
- risk 0.53cvss 8.1epss 0.03
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write.
- risk 0.52cvss 7.3epss 0.62
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
- risk 0.52cvss 7.5epss 0.47
Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.
- risk 0.52cvss 7.2epss 0.64
An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.
- risk 0.51cvss 7.5epss 0.28
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.
- risk 0.51cvss 7.5epss 0.31
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
- risk 0.51cvss 7.5epss 0.28
A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
- risk 0.51cvss 7.8epss 0.01
Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability
- risk 0.51cvss 7.8epss 0.01
Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability
- risk 0.51cvss 7.8epss 0.00
Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability
- risk 0.51cvss 7.8epss 0.00
Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability
Page 4 of 6